From: AsiaCloudForum

By Carol Ko

In the absence of cloud-specific industry standards, cloud data center operators are relying on widely accepted industry standards as the quality seals for the info-security practices at their data centers

One such standard is the ISO27001, short for “ISO/IEC 27001:2005 — Information technology — Security techniques — Information security management systems — Requirements” that was published in 2005 by the International Organization for Standardization.

The ISO27001 certification covers a broad range of security controls from the physical environment in which customer solutions are hosted, accessed and monitored through to the logical system-based controls employed to manage electronic access.

“ISO27001 is a must”

In Hong Kong, the Office of Government Chief Information Officer is working to build its first outsourced government private cloud, which is targeted to roll out in later 2013.

“ISO27001 is a must,” said Daniel Lai, the Hong Kong government CIO, as he spoke about OGCIO’s security requirements on the data center which is to run its outsourced private cloud (aka GovCloud). The other info-security requirements for hosting GovCloud included intrusion detection, anti-virus and anti-malware measures, identity and access management system, as well as end-to-end data encryption along data processing and transfer.

On October 18, the US-based cloud and managed hosting company Rackspace announced it received ISO27001 accreditation for its Hong Kong data center. Rackspace currently runs eight other data centers worldwide, four of which obtained ISO27001.

Rackspace runs its Hong Kong data center on a PCCW Solutions facility in Fo Tan, New Territories. Currently occupying a data center floor space exceeding 11,000 sq ft, Rackspace plans to further expand it to meet increased data center demands.

Besides ISO27001, Rackspace’s Hong Kong data center is also said to be compliant with SOC1, PCI-DSS (Payment Card Industries Data Security Standard), and ISAE (International Standards for Assurance Engagements) Number 3402 for assurance reporting on controls in a service organization.

Besides Rackspace, Equinix and NTT Com Asia also had their Hong Kong data centers accredited with ISO27001. While three of four Equinix’s data centers were ISO27001-compliant, the NTT Communications Hong Kong Data Center was also accredited with ISO27001 on information management, as well as ISO 9001 on quality management system.

In an interview with Asia Cloud Forum, Rackspace’s Vice President, Legal International Tiffany Lathe (pictured) explains the steps taken by Rackspace to acquire ISO27001 for its Hong Kong data center. Interview excerpts below:

Asia Cloud Forum: What controls does Rackspace Hong Kong data center implement to ensure ISO27001-compliant?

Tiffany Lathe: Rackspace has implemented the following physical and environmental controls within its data centers to ensure adequate security and compliancy to our ISO27001 certification:

Two-factor authentication — Two-factor authentication is required to gain access to the all data center facilities. Electromechanical locks are controlled by biometric authentication and key-card/badge.

Staff access control — Access to secure sub-areas is allocated on a role specific basis. Only authorized data center personnel have access to data halls. Sensitive equipment such as plant and information processing facilities, including customer servers, are housed in secure sub areas within the secure perimeter and are subject to additional controls. Centralized Security Management Systems are deployed at all data centers to control the Electronic Access Control Systems and CCTV networks.

Visitor access control — Visitor access to the data centers must be granted by specifically authorized approvers before the scheduled visit. Unauthorized visitors are not permitted access to the data centers. Visitors must present photographic ID on logging in. Visitors are strictly escorted at all times. All visitor access is logged. This policy applies equally to Rackspace employees not assigned to the data center is question. Visitors, including customers, are strictly forbidden from accessing the data halls themselves and other secure sub areas.

Power redundancy — Rackspace data centers feature N+1 redundant HVAC (Heating Ventilation Air Conditioning) units, which provide consistent temperature and humidity within the raised floor area. HVAC systems and chillers are inspected regularly (at least quarterly) and air filters are changed periodically. Redundant lines of communication to telecommunication providers provide Rackspace customers with failover communication paths in the event of data communications interruption.

Uninterruptible power supplies — Rackspace data centers are equipped with uninterruptible power supplies (UPS) to mitigate the risk of short-term utility power failures and fluctuations. The UPS power subsystems are N+1 redundant with instantaneous failover in the event of a primary UPS failure. The UPS systems are inspected at least twice annually.

The Rackspace Hong Kong data center is also said to be compliant with ISAE No. 3402. How was the evaluation done?

Lathe: In order to obtain ISAE3402 Rackspace has to undergo a series of in depth external verifications and assessments by Ernst & Young, whereby they sample security outputs and test our security policies and practices both within the office and data center environment.

What other accreditations does Rackspace target to obtain next?

Lathe: We do not have further plans to obtain any further certifications in the meantime.